08/30/07 | USPTO Application #20070204257 | USPTO Class 717

Software operation modeling device, software operation monitoring device, software operation modeling method, and software operation monitoring method

USPTO Application #: 20070204257
Title: Software operation modeling device, software operation monitoring device, software operation modeling method, and software operation monitoring method
Abstract: The software operation modeling device includes a function call order obtaining unit and a model generator. The function call order obtaining unit obtains or estimates an issuing order of function calls executed in each of specific events in the course of executing software. The model generator statistically grasps a co-occurrence relationship between the specific event and the issuing order of the function calls obtained or estimated by the function call order obtaining unit, and records the grasped co-occurrence relationship as an operation model of the software.
Agent: Oblon, Spivak, Mcclelland, Maier & Neustadt, P.C. - Alexandria, VA, US
Inventors: Akira Kinno, Takehiro Nakayama
USPTO Application #: 20070204257 - Class: 717100000 (USPTO)
Related Patent Categories: Data Processing: Software Development, Installation, And Management, Software Program Development Tool (e.g., Integrated Case Tool Or Stand-alone Development Tool)
The Patent Description & Claims data below is from USPTO Patent Application 20070204257.

CROSS REFERENCE TO RELATED APPLICATIONS

[0001] This application is based upon and claims the benefit of priority from prior Japanese Patent Application P2005-342717 filed on Nov. 28, 2005; the entire contents of which are incorporated by reference herein.

BACKGROUND OF THE INVENTION

[0002] 1. Field of the Invention

[0003] The present invention relates to a software operation modeling device, a software operation monitoring device, a software operation modeling method, and a software operation monitoring method.

[0004] 2. Description of the Related Art

[0005] All computing machines, including personal computers (PCs), workstations, servers, routers, cellular telephones and personal digital assistants (PDAs), are exposed to attacks from outside and from within. A typical attack takes advantage of a vulnerability in software executed by the computing machine. An attacker sends malicious code to a computing machine by exploiting the software vulnerability to seize control of a process in execution, and carries out an unauthorized operation while making use of the authority of that process.

[0006] An anomaly detecting system which models the normal operation of a program, and which determines the presence or absence of a deviation from the model in the course of executing the program, has been provided for detecting attacks taking advantage of such vulnerabilities, and particularly for detecting unknown attacks. A system call is a command issued when a process requests the kernel to perform an important task in the system. The attacker causes the system to execute an arbitrary action by means of a system call, as if it were requested by the process. For this reason, the validity of the system call is verified when the operation of the program is monitored.

[0007] As a method of verifying the validity of a system call during execution of a program, for example, there has been disclosed an anti-attack device including a system call table, a validity inspection functioning unit, an anti-attack functioning unit and a system call. The device checks whether the function requesting a system call is in the code area or not. When it is not in the code area, the device decides that the request is abnormal. The system call table receives a system call request issued by a program (a task), and outputs a jump address to the validity inspection functioning unit. The validity inspection functioning unit determines the validity of the system call request by use of the return function address of the system call issuer, the return function address being stored in a specified memory area by the operating system (OS) at the time the system call request is issued, and outputs a determination result. In a case where the system call request is determined to be unauthorized, the validity inspection functioning unit rejects the system call request. The anti-attack functioning unit receives the result of the determination that the system call is unauthorized, the determination being made by the validity inspection functioning unit, and takes measures. The system call is invoked on receiving the result of a determination that the system call request is authorized, the determination being made by the validity inspection functioning unit, and executes a command (for example, see JPA2004-126854, hereinafter referred to as Patent Document 1).

[0008] Meanwhile, in order to verify the authority of a system call, there has been disclosed an attack detection system which utilizes the state of the call stack (the sequence of return addresses loaded on the stack) (for example, see H. Feng et al., "Anomaly Detection Using Call Stack Information," Proc. of the IEEE Symposium on Security and Privacy 2003, p. 62, hereinafter referred to as Non-patent Document 1). This system is configured to execute the program first in advance, and to learn a model from the obtained result. In the course of executing the program, the system obtains the state of the call stack at the time a system call occurs, and generates a virtual stack list recorded together with the program counter at the time the system call occurs. Moreover, the system compares this stack state against the call stack state targeted for comparison sequentially from the bottom of the stack, and thus finds the first differing return address. From that point the system generates the subsequent return address sequence (a virtual path). A hash table is formed from the virtual stack list and the virtual path thus generated, and the table is used as the program model. When verifying the program, the virtual stack list and the virtual path are formed in the course of executing the program. The system then matches the list and the path against those in the hash table used as the model. If the virtual stack list and the virtual path match those in the hash table, the system call request is permitted. If not, the system call request is determined to be abnormal.

[0009] In an OS such as Linux, a system call is usually issued by way of a wrapper function. Since the wrapper function is located in the code area, the function of the system call issuer always exists in the code area. In the case of a return-to-libc attack, which is a typical attack, the attacker induces the OS to return into "libc," and thereby issues an arbitrary system call. Considering this situation, there are attacks that are undetectable by the anti-attack device disclosed in Patent Document 1, because this device only determines whether the address of the function of the system call issuer is located in the code area. On the other hand, the attack detection system disclosed in Non-patent Document 1 performs verification by use of the return addresses loaded on the call stack. In this context, it is likely that this system performs more detailed modeling than the anti-attack device disclosed in Patent Document 1. Accordingly, it is likely that the attack detection system disclosed in Non-patent Document 1 reduces the chance of overlooking attacks as compared to the anti-attack device disclosed in Patent Document 1.

[0010] Nevertheless, the attack detection system disclosed in Non-patent Document 1 performs hash matching at the time of verification. For this reason, if the system fails to learn sufficiently at the time of modeling, the system is forced to determine a normal state as an anomaly (false alarm) when an unlearned action occurs at the time of verification. As a result, the incidence of the false alarm may be increased.
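The two prior-art checks of [0007] and [0008], the return-to-libc limitation of [0009], and the hash-matching false alarm of [0010], as an added Python sketch. This is not code from the patent or from either cited document: the code-area ranges, return addresses, symbol layout and traces are all constructed, and the VtPath-style model is simplified (plain Python sets stand in for the hash table). A trace is a list of system-call events, each carrying the program counter at the call and the call stack from the bottom frame up to the frame that invoked the system call.

```python
"""Constructed comparison of an issuer-address check (Patent Document 1 style)
with a virtual-stack / virtual-path model (Non-patent Document 1 style).
All addresses and traces are constructed for illustration only."""
from typing import Dict, List, Sequence, Set, Tuple

# Constructed "code area": the program text and one libc mapping.
CODE_RANGES = [(0x400000, 0x40FFFF), (0x7F000000, 0x7F0FFFFF)]

# Event = (syscall name, program counter at the syscall,
#          return addresses from the bottom frame to the issuing frame)
Event = Tuple[str, int, Tuple[int, ...]]
VStack = Tuple[int, ...]


def in_code_area(addr: int) -> bool:
    return any(lo <= addr <= hi for lo, hi in CODE_RANGES)


def issuer_check(event: Event) -> bool:
    """Patent Document 1 style: only the return address of the system call
    issuer (the topmost frame, normally the libc wrapper) must be in the code area."""
    _, _, stack = event
    return in_code_area(stack[-1])


def virtual_stack(event: Event) -> VStack:
    """Call stack at the system call with the program counter placed on top."""
    _, pc, stack = event
    return tuple(stack) + (pc,)


def virtual_path(prev: VStack, cur: VStack) -> Tuple[VStack, VStack]:
    """Compare from the bottom frame, stop at the first differing return address,
    and record the frames left (top-down) and the frames entered (bottom-up)."""
    i = 0
    while i < min(len(prev), len(cur)) and prev[i] == cur[i]:
        i += 1
    return tuple(reversed(prev[i:])), tuple(cur[i:])


def train(traces: Sequence[Sequence[Event]]) -> Dict[str, Set]:
    """Learn every virtual stack and every virtual path seen in training runs."""
    model: Dict[str, Set] = {"stacks": set(), "paths": set()}
    for trace in traces:
        prev = None
        for ev in trace:
            vs = virtual_stack(ev)
            model["stacks"].add(vs)
            if prev is not None:
                model["paths"].add(virtual_path(prev, vs))
            prev = vs
    return model


def verify(model: Dict[str, Set], trace: Sequence[Event]) -> List[int]:
    """Exact matching: return indices of events whose virtual stack or virtual
    path was never learned. Anything unlearned is an anomaly, benign or not."""
    flagged: List[int] = []
    prev = None
    for idx, ev in enumerate(trace):
        vs = virtual_stack(ev)
        ok = vs in model["stacks"]
        if prev is not None and virtual_path(prev, vs) not in model["paths"]:
            ok = False
        if not ok:
            flagged.append(idx)
        prev = vs
    return flagged


# Constructed return addresses: program functions and libc wrappers.
MAIN, LOAD_CFG, LOG, LOG_ALT = 0x401000, 0x401200, 0x401300, 0x401400
OPEN_W, READ_W, CLOSE_W, WRITE_W, SYSTEM_W = (
    0x7F001010, 0x7F002010, 0x7F003010, 0x7F004010, 0x7F005010)

TRAIN_TRACE: List[Event] = [
    ("open", OPEN_W + 8, (MAIN, LOAD_CFG, OPEN_W)),
    ("read", READ_W + 8, (MAIN, LOAD_CFG, READ_W)),
    ("close", CLOSE_W + 8, (MAIN, LOAD_CFG, CLOSE_W)),
    ("write", WRITE_W + 8, (MAIN, LOG, WRITE_W)),
]
# Return-to-libc shaped state ([0009]): the issuing frame is the libc wrapper,
# so the issuer check passes, but no learned stack has that return-address chain.
ANOMALY_TRACE: List[Event] = [TRAIN_TRACE[0], ("execve", SYSTEM_W + 8, (MAIN, SYSTEM_W))]
# Benign but unlearned caller of write: exact matching reports a false alarm ([0010]).
UNLEARNED_TRACE: List[Event] = [TRAIN_TRACE[2], ("write", WRITE_W + 8, (MAIN, LOG_ALT, WRITE_W))]

if __name__ == "__main__":
    model = train([TRAIN_TRACE])
    print("issuer check on anomaly:", [issuer_check(e) for e in ANOMALY_TRACE])
    print("stack model on anomaly:", verify(model, ANOMALY_TRACE))
    print("stack model on benign unlearned:", verify(model, UNLEARNED_TRACE))
```

Running it shows the three behaviours the text contrasts: the issuer check accepts every event of `ANOMALY_TRACE`, the stack model flags its second event, and the same stack model also flags the benign second event of `UNLEARNED_TRACE` because exact matching has no notion of "close enough".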

[0011] Meanwhile, in order to deploy a system for verifying operation on a computing machine with a small processing capacity, such as a cellular telephone, it is important to accelerate processing with limited resources and to suppress memory usage.

SUMMARY OF THE INVENTION

[0012] In view of the foregoing problems, it is an object of the present invention to provide a software operation modeling device, a software operation monitoring device, a software operation modeling method, and a software operation monitoring method, which make it possible to reduce false alarms while achieving acceleration of processing with limited resources and suppression of memory usage.

[0013] A first aspect of the present invention is to provide a software operation modeling device, including: (a) a function call order obtaining unit configured to obtain or estimate an issuing order of function calls executed in each of specific events in the course of executing software, and (b) a model generator configured to statistically grasp a co-occurrence relationship between the specific event and the issuing order of the function calls obtained or estimated by the function call order obtaining unit, and to record the grasped co-occurrence relationship as an operation model of the software.

[0014] A second aspect of the present invention is to provide a software operation modeling method, including: (a) obtaining or estimating an issuing order of function calls executed in each of specific events in the course of executing software, and (b) statistically grasping a co-occurrence relationship between the specific event and the obtained or estimated issuing order of the function calls, and recording the grasped co-occurrence relationship as an operation model of the software.

[0015] A third aspect of the present invention is to provide a software operation monitoring device, including: (a) an operation model obtaining unit configured to statistically grasp a co-occurrence relationship between each of specific events issued by software which is monitored and an issuing order of function calls executed in the specific event, and to obtain an operation model indicating the grasped co-occurrence relationship, (b) a function call order obtaining unit configured to obtain or estimate the issuing order of the function calls executed by the software in the course of executing the software, and (c) an operation monitoring unit configured to determine a deviation, from the operation model, of the co-occurrence relationship between the specific events and the issuing order of the function calls obtained by the function call order obtaining unit.

[0016] A fourth aspect of the present invention is to provide a software operation monitoring method, including: (a) statistically grasping a co-occurrence relationship between each of specific events issued by software of a monitoring target and an issuing order of function calls executed in the specific event, and obtaining an operation model indicating the grasped co-occurrence relationship, (b) obtaining or estimating the issuing order of the function calls executed by the software in the course of executing the software, and (c) determining a deviation, from the operation model, of the co-occurrence relationship between the specific events and the obtained or estimated issuing order of the function calls.
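The four aspects above, as an added Python sketch that is not the patent's own implementation: it estimates the issuing order of function calls from a call stack via a constructed symbol table (the "obtain or estimate" step), records how often each adjacent caller pair co-occurs with each system call (the "statistically grasp" step), and at monitoring time reports a deviation score instead of an exact match. The symbol table, traces, the choice of adjacent pairs as the co-occurrence unit, the score (share of pairs never seen with that event) and the 0.5 threshold are all assumptions made for the example.

```python
"""Statistical co-occurrence model of (system call, function-call order).
Symbol table, traces, scoring rule and threshold are constructed assumptions."""
from collections import Counter, defaultdict
from typing import Dict, List, Sequence, Tuple

# Constructed symbol table: (start, end, function name) within the code area.
SYMBOLS = [
    (0x401000, 0x4010FF, "main"),
    (0x401200, 0x4012FF, "load_config"),
    (0x401300, 0x4013FF, "save_config"),
    (0x401400, 0x4014FF, "parse_section"),
    (0x7F001000, 0x7F0010FF, "fopen"),
    (0x7F005000, 0x7F0050FF, "system"),
]


def estimate_call_order(stack: Sequence[int]) -> Tuple[str, ...]:
    """Estimate the issuing order of function calls from the return addresses
    on the stack, bottom frame first; addresses outside the table become '?'."""
    return tuple(next((n for lo, hi, n in SYMBOLS if lo <= a <= hi), "?") for a in stack)


def bigrams(order: Sequence[str]) -> List[Tuple[str, str]]:
    return [(order[i], order[i + 1]) for i in range(len(order) - 1)]


class CoOccurrenceModel:
    """Counts how often each adjacent caller pair co-occurs with each event."""

    def __init__(self) -> None:
        self.counts: Dict[str, Counter] = defaultdict(Counter)
        self.totals: Counter = Counter()

    def learn(self, trace: Sequence[Tuple[str, Tuple[str, ...]]]) -> None:
        for event, order in trace:
            self.totals[event] += 1
            for pair in bigrams(order):
                self.counts[event][pair] += 1

    def deviation(self, event: str, order: Sequence[str]) -> float:
        """Share of caller pairs that never co-occurred with this event, 0.0..1.0.
        An event type never seen during learning scores 1.0 outright."""
        if self.totals[event] == 0:
            return 1.0
        pairs = bigrams(order)
        if not pairs:
            return 0.0
        unseen = sum(1 for p in pairs if self.counts[event][p] == 0)
        return unseen / len(pairs)

    def monitor(self, trace, threshold: float = 0.5) -> List[Tuple[int, float]]:
        """Flag events whose deviation exceeds the threshold; partial novelty
        (a single new caller pair) stays below it, unlike exact hash matching."""
        flagged = []
        for idx, (event, order) in enumerate(trace):
            score = self.deviation(event, order)
            if score > threshold:
                flagged.append((idx, score))
        return flagged


# Constructed learning trace: (event, estimated function-call order).
TRAIN = [
    ("open", ("main", "load_config", "fopen")),
    ("open", ("main", "load_config", "parse_section", "fopen")),
    ("open", ("main", "save_config", "fopen")),
]
# Constructed monitored trace: a learned order, a benign but never-seen order
# whose pairs are mostly known, and a return chain estimated from raw addresses
# for an event type that was never learned.
MONITORED = [
    ("open", ("main", "load_config", "fopen")),
    ("open", ("main", "save_config", "parse_section", "fopen")),
    ("execve", estimate_call_order((0x401010, 0x7F005010))),
]


def build_model() -> CoOccurrenceModel:
    model = CoOccurrenceModel()
    model.learn(TRAIN)
    return model


if __name__ == "__main__":
    m = build_model()
    for ev, order in MONITORED:
        print(ev, order, round(m.deviation(ev, order), 3))
    print("flagged:", m.monitor(MONITORED))
```

The second monitored event is the case [0010] describes: its whole path was never learned, so an exact-match model would raise an alarm, but only one of its three caller pairs is new to the `open` event, giving a score of one third that stays under the threshold. The third event scores 1.0 because no `execve` was ever associated with any caller order.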

BRIEF DESCRIPTION OF THE DRAWINGS

[0017] FIG. 1 is a block diagram showing a configuration of a software operation modeling device according to a first embodiment of the present invention.

[0018] FIG. 2 is a conceptual diagram for explaining stack information according to the first embodiment.

[0019] FIG. 3 is a flowchart showing operations of a stack information obtaining unit according to the first embodiment.

[0020] FIG. 4 is a view showing an example of the stack information according to the first embodiment.
